
Changelog History

  • v2.26.1 Changes

    November 08, 2022
    • Fix regression in QR code generation in otp feature causing all black QR code (janko) (#279)
  • v2.26.0 Changes

    October 21, 2022
    • Raise a more informative error when using a feature requiring hmac_secret but not setting hmac_secret (janko) (#271)

    • Limit parameter bytesize to 1024 by default, override with max_param_bytesize configuration method (jeremyevans)

    • Skip displaying links for disabled routes (janko) (#269)

    • Do not prefix flash keys with the session key prefix (jeremyevans) (#266)

    • Set configuration_name correctly for internal request classes (janko) (#265)

    • Add argon2_secret configuration method to the argon2 feature to specify the secret/pepper used for argon2 password hashes (janko) (#264)

    • Use white background instead of transparent background for QR code in otp feature (jeremyevans) (#256)

  • v2.25.0 Changes

    June 22, 2022
    • Support disabling routes by passing nil/false to *_route methods (janko) (#245)
  • v2.24.0 Changes

    May 24, 2022
    • Work around implicit null byte check added in bcrypt 3.1.18 by checking password requirements before other password checks (jeremyevans)

    • Fix invalid HTML on pages with OTP QR codes (jeremyevans)

    • Add recovery_codes_available? configuration method to the recovery_codes feature (janko) (#238)

    • Add otp_available? configuration method to the otp feature (janko) (#238)

  • v2.23.0 Changes

    April 22, 2022
    • Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)

    • Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)

    • Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)

    • Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)

  • v2.22.0 Changes

    March 22, 2022
    • Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)

    • Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)

    • Add reset_password_notify for emailing users after successful password resets (jeremyevans)

    • An email method can now be used in external features to DRY up email creation code (jeremyevans)

    • The change_password_notify feature now correctly handles template precompilation (jeremyevans)

    • Fix update_sms to update stored sms hash (bjeanes) (#222)

  • v2.21.0 Changes

    February 23, 2022
    • Avoid extra bcrypt hashing on account verification when using account_password_hash_column (janko) (#217)

    • Make require_account public (janko) (#212)

    • Force specific date/time format when displaying webauthn last use time (jeremyevans)

    • Automatically clear the session in require_login if users go beyond verify account grace period (janko) (#211)

    • Fix typo in default value of global_logout_label in active_sessions plugin (sterlzbd) (#209)

  • v2.20.0 Changes

    January 24, 2022
    • Change the default implementation of webauthn_rp_id to not include the port (jeremyevans) (#203)

    • Make logout of all sessions in active_sessions plugin also remove remember key if using remember plugin (jeremyevans)

  • v2.19.0 Changes

    December 22, 2021
    • Add login_maximum_bytes, setting the maximum number of bytes in a login, 255 by default (jeremyevans)

    • Add password_maximum_bytes, setting the maximum number of bytes in a password, nil by default for no limit (jeremyevans)

    • Add password_maximum_length, setting the maximum number of characters in a password, nil by default for no limit (jeremyevans)

    • Support multi-level inheritance of Rodauth::Auth (janko) (#191)

    • Allow internal_request feature to work correctly when loaded into custom Rodauth::Auth subclasses before loading into a Roda application (janko) (#190)

    • Assign internal subclass created by internal_request feature to the InternalRequest constant (janko) (#187)

  • v2.18.0 Changes

    November 23, 2021
    • Allow JSON API access to /multifactor-manage to get links to setup/disable multifactor authentication endpoints (jeremyevans)

    • Allow JSON API access to /multifactor-auth to get links to possible multifactor authentication endpoints (jeremyevans)

    • Set configuration_name on class passed via :auth_class option if not already set (janko, jeremyevans) (#181)

    • Use viewbox: true option when creating QR code in otp feature, displays better and easier to style when using rqrcode 2+ (jeremyevans)

    • Make argon2 feature work with argon2 2.1.0 (jeremyevans)